/mandos/trunk : revision 446

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: teddy at bsnet
Date: 2010-09-27 16:27:13 UTC
Revision ID: teddy@fukt.bsnet.se-20100927162713-jucnyd63612ximvw

* mandos-monitor: Change key for removing a client from "r" to "R".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

client.cpp

crl.pem

key.pem

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

100

</cmdsynopsis>

101

102

<command>&COMMANDNAME;</command>

103

<arg choice="plain"><option>--version</option></arg>

104

</cmdsynopsis>

105

106

<command>&COMMANDNAME;</command>

107

<arg choice="plain"><option>--check</option></arg>

108

</cmdsynopsis>

109

</refsynopsisdiv>

110

111

112

<title>DESCRIPTION</title>

113

<para>

114

<command>&COMMANDNAME;</command> is a server daemon which

115

handles incoming request for passwords for a pre-defined list of

116

client host computers. The Mandos server uses Zeroconf to

117

announce itself on the local network, and uses TLS to

118

communicate securely with and to authenticate the clients. The

119

Mandos server uses IPv6 to allow Mandos clients to use IPv6

120

link-local addresses, since the clients will probably not have

121

any other addresses configured (see <xref linkend="overview"/>).

122

Any authenticated client is then given the stored pre-encrypted

123

password for that specific client.

124

</para>

125

</refsect1>

126

127

128

<title>PURPOSE</title>

129

<para>

130

The purpose of this is to enable <emphasis>remote and unattended

131

rebooting</emphasis> of client host computer with an

132

<emphasis>encrypted root file system</emphasis>. See <xref

133

linkend="overview"/> for details.

134

</para>

135

</refsect1>

136

137

138

<title>OPTIONS</title>

139

140

141

142

143

144

<para>

145

Show a help message and exit

146

</para>

147

</listitem>

148

</varlistentry>

149

150

151

<term><option>--interface</option>

152

153

154

155

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

157

</listitem>

158

</varlistentry>

159

160

161

<term><option>--address

162

<replaceable>ADDRESS</replaceable></option></term>

163

<term><option>-a

164

<replaceable>ADDRESS</replaceable></option></term>

165

166

<xi:include href="mandos-options.xml" xpointer="address"/>

167

</listitem>

168

</varlistentry>

169

170

171

<term><option>--port

172

173

<term><option>-p

174

175

176

<xi:include href="mandos-options.xml" xpointer="port"/>

177

</listitem>

178

</varlistentry>

179

180

181

<term><option>--check</option></term>

182

183

<para>

184

Run the server’s self-tests. This includes any unit

185

tests, etc.

186

</para>

187

</listitem>

188

</varlistentry>

189

190

191

<term><option>--debug</option></term>

192

193

<xi:include href="mandos-options.xml" xpointer="debug"/>

194

</listitem>

195

</varlistentry>

196

197

198

<term><option>--priority <replaceable>

199

PRIORITY</replaceable></option></term>

200

201

<xi:include href="mandos-options.xml" xpointer="priority"/>

202

</listitem>

203

</varlistentry>

204

205

206

<term><option>--servicename

207

208

209

<xi:include href="mandos-options.xml"

210

xpointer="servicename"/>

211

</listitem>

212

</varlistentry>

213

214

215

<term><option>--configdir

216

<replaceable>DIRECTORY</replaceable></option></term>

217

218

<para>

219

Directory to search for configuration files. Default is

220

<quote><literal>/etc/mandos</literal></quote>. See

221

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

222

223

<refentrytitle>mandos-clients.conf</refentrytitle>

224

<manvolnum>5</manvolnum></citerefentry>.

225

</para>

226

</listitem>

227

</varlistentry>

228

229

230

<term><option>--version</option></term>

231

232

<para>

233

Prints the program version and exit.

234

</para>

235

</listitem>

236

</varlistentry>

237

238

239

240

241

<xi:include href="mandos-options.xml" xpointer="dbus"/>

242

<para>

243

See also <xref linkend="dbus_interface"/>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

250

251

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

252

</listitem>

253

</varlistentry>

254

</variablelist>

255

</refsect1>

256

257

258

<title>OVERVIEW</title>

259

<xi:include href="overview.xml"/>

260

<para>

261

This program is the server part. It is a normal server program

262

and will run in a normal system environment, not in an initial

263

<acronym>RAM</acronym> disk environment.

264

</para>

265

</refsect1>

266

267

268

<title>NETWORK PROTOCOL</title>

269

<para>

270

The Mandos server announces itself as a Zeroconf service of type

271

<quote><literal>_mandos._tcp</literal></quote>. The Mandos

272

client connects to the announced address and port, and sends a

273

line of text where the first whitespace-separated field is the

274

protocol version, which currently is

275

<quote><literal>1</literal></quote>. The client and server then

276

start a TLS protocol handshake with a slight quirk: the Mandos

277

server program acts as a TLS <quote>client</quote> while the

278

connecting Mandos client acts as a TLS <quote>server</quote>.

279

The Mandos client must supply an OpenPGP certificate, and the

280

fingerprint of this certificate is used by the Mandos server to

281

look up (in a list read from <filename>clients.conf</filename>

282

at start time) which binary blob to give the client. No other

283

authentication or authorization is done by the server.

284

</para>

285

<table>

286

<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>

287

<row>

288

<entry>Mandos Client</entry>

289

<entry>Direction</entry>

290

<entry>Mandos Server</entry>

291

</row>

292

</thead><tbody>

293

<row>

294

<entry>Connect</entry>

295

296

</row>

297

<row>

298

299

300

</row>

301

<row>

302

<entry>TLS handshake <emphasis>as TLS <quote>server</quote>

303

</emphasis></entry>

304

305

<entry>TLS handshake <emphasis>as TLS <quote>client</quote>

306

</emphasis></entry>

307

</row>

308

<row>

309

<entry>OpenPGP public key (part of TLS handshake)</entry>

310

311

</row>

312

<row>

313

314

315

<entry>Binary blob (client will assume OpenPGP data)</entry>

316

</row>

317

<row>

318

319

320

<entry>Close</entry>

321

</row>

322

</tbody></tgroup></table>

323

</refsect1>

324

325

326

<title>CHECKING</title>

327

<para>

328

The server will, by default, continually check that the clients

329

are still up. If a client has not been confirmed as being up

330

for some time, the client is assumed to be compromised and is no

331

longer eligible to receive the encrypted password. (Manual

332

intervention is required to re-enable a client.) The timeout,

333

checker program, and interval between checks can be configured

334

both globally and per client; see <citerefentry>

335

<refentrytitle>mandos-clients.conf</refentrytitle>

336

<manvolnum>5</manvolnum></citerefentry>. A client successfully

337

receiving its password will also be treated as a successful

338

checker run.

339

</para>

340

</refsect1>

341

342

343

<title>APPROVAL</title>

344

<para>

345

The server can be configured to require manual approval for a

346

client before it is sent its secret. The delay to wait for such

347

approval and the default action (approve or deny) can be

348

configured both globally and per client; see <citerefentry>

349

<refentrytitle>mandos-clients.conf</refentrytitle>

350

<manvolnum>5</manvolnum></citerefentry>. By default all clients

351

will be approved immediately without delay.

352

</para>

353

<para>

354

This can be used to deny a client its secret if not manually

355

approved within a specified time. It can also be used to make

356

the server delay before giving a client its secret, allowing

357

optional manual denying of this specific client.

358

</para>

359

360

</refsect1>

361

362

363

<title>LOGGING</title>

364

<para>

365

The server will send log message with various severity levels to

366

<filename>/dev/log</filename>. With the

367

<option>--debug</option> option, it will log even more messages,

368

and also show them on the console.

369

</para>

370

</refsect1>

371

372

373

<title>D-BUS INTERFACE</title>

374

<para>

375

The server will by default provide a D-Bus system bus interface.

376

This interface will only be accessible by the root user or a

377

Mandos-specific user, if such a user exists. For documentation

378

of the D-Bus API, see the file <filename>DBUS-API</filename>.

379

</para>

380

</refsect1>

381

382

383

<title>EXIT STATUS</title>

384

<para>

385

The server will exit with a non-zero exit status only when a

386

critical error is encountered.

387

</para>

388

</refsect1>

389

390

391

<title>ENVIRONMENT</title>

392

393

394

395

396

<para>

397

To start the configured checker (see <xref

398

linkend="checking"/>), the server uses

399

<filename>/bin/sh</filename>, which in turn uses

400

<varname>PATH</varname> to search for matching commands if

401

an absolute path is not given. See <citerefentry>

402

403

</citerefentry>.

404

</para>

405

</listitem>

406

</varlistentry>

407

</variablelist>

408

</refsect1>

409

410

411

<title>FILES</title>

412

<para>

413

Use the <option>--configdir</option> option to change where

414

<command>&COMMANDNAME;</command> looks for its configurations

415

files. The default file names are listed here.

416

</para>

417

418

419

<term><filename>/etc/mandos/mandos.conf</filename></term>

420

421

<para>

422

Server-global settings. See

423

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

424

<manvolnum>5</manvolnum></citerefentry> for details.

425

</para>

426

</listitem>

427

</varlistentry>

428

429

<term><filename>/etc/mandos/clients.conf</filename></term>

430

431

<para>

432

List of clients and client-specific settings. See

433

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

434

<manvolnum>5</manvolnum></citerefentry> for details.

435

</para>

436

</listitem>

437

</varlistentry>

438

439

<term><filename>/var/run/mandos.pid</filename></term>

440

441

<para>

442

The file containing the process id of the

443

<command>&COMMANDNAME;</command> process started last.

444

</para>

445

</listitem>

446

</varlistentry>

447

448

449

450

<para>

451

The Unix domain socket to where local syslog messages are

452

sent.

453

</para>

454

</listitem>

455

</varlistentry>

456

457

458

459

<para>

460

This is used to start the configured checker command for

461

each client. See <citerefentry>

462

<refentrytitle>mandos-clients.conf</refentrytitle>

463

<manvolnum>5</manvolnum></citerefentry> for details.

464

</para>

465

</listitem>

466

</varlistentry>

467

</variablelist>

468

</refsect1>

469

470

471

472

<para>

473

This server might, on especially fatal errors, emit a Python

474

backtrace. This could be considered a feature.

475

</para>

476

<para>

477

Currently, if a client is disabled due to having timed out, the

478

server does not record this fact onto permanent storage. This

479

has some security implications, see <xref linkend="clients"/>.

480

</para>

481

<para>

482

There is no fine-grained control over logging and debug output.

483

</para>

484

<para>

485

Debug mode is conflated with running in the foreground.

486

</para>

487

<para>

488

The console log messages do not show a time stamp.

489

</para>

490

<para>

491

This server does not check the expire time of clients’ OpenPGP

492

keys.

493

</para>

494

</refsect1>

495

496

497

<title>EXAMPLE</title>

498

499

<para>

500

Normal invocation needs no options:

501

</para>

502

<para>

503

<userinput>&COMMANDNAME;</userinput>

504

</para>

505

</informalexample>

506

507

<para>

508

Run the server in debug mode, read configuration files from

509

the <filename>~/mandos</filename> directory, and use the

510

Zeroconf service name <quote>Test</quote> to not collide with

511

any other official Mandos server on this host:

512

</para>

513

<para>

514

515

516

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

517

518

</para>

519

</informalexample>

520

521

<para>

522

Run the server normally, but only listen to one interface and

523

only on the link-local address on that interface:

524

</para>

525

<para>

526

527

528

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

529

530

</para>

531

</informalexample>

532

</refsect1>

533

534

535

<title>SECURITY</title>

536

537

<title>SERVER</title>

538

<para>

539

Running this <command>&COMMANDNAME;</command> server program

540

should not in itself present any security risk to the host

541

computer running it. The program switches to a non-root user

542

soon after startup.

543

</para>

544

</refsect2>

545

546

<title>CLIENTS</title>

547

<para>

548

The server only gives out its stored data to clients which

549

does have the OpenPGP key of the stored fingerprint. This is

550

guaranteed by the fact that the client sends its OpenPGP

551

public key in the TLS handshake; this ensures it to be

552

genuine. The server computes the fingerprint of the key

553

itself and looks up the fingerprint in its list of

554

clients. The <filename>clients.conf</filename> file (see

555

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

556

<manvolnum>5</manvolnum></citerefentry>)

557

<emphasis>must</emphasis> be made non-readable by anyone

558

except the user starting the server (usually root).

559

</para>

560

<para>

561

As detailed in <xref linkend="checking"/>, the status of all

562

client computers will continually be checked and be assumed

563

compromised if they are gone for too long.

564

</para>

565

<para>

566

If a client is compromised, its downtime should be duly noted

567

by the server which would therefore disable the client. But

568

if the server was ever restarted, it would re-read its client

569

list from its configuration file and again regard all clients

570

therein as enabled, and hence eligible to receive their

571

passwords. Therefore, be careful when restarting servers if

572

it is suspected that a client has, in fact, been compromised

573

by parties who may now be running a fake Mandos client with

574

the keys from the non-encrypted initial <acronym>RAM</acronym>

575

image of the client host. What should be done in that case

576

(if restarting the server program really is necessary) is to

577

stop the server program, edit the configuration file to omit

578

any suspect clients, and restart the server program.

579

</para>

580

<para>

581

For more details on client-side security, see

582

<citerefentry><refentrytitle>mandos-client</refentrytitle>

583

<manvolnum>8mandos</manvolnum></citerefentry>.

584

</para>

585

</refsect2>

586

</refsect1>

587

588

589

590

<para>

591

592

<refentrytitle>mandos-clients.conf</refentrytitle>

593

594

<refentrytitle>mandos.conf</refentrytitle>

595

596

<refentrytitle>mandos-client</refentrytitle>

597

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

598

599

</citerefentry>

600

</para>

601

602

603

<term>

604

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

605

</term>

606

607

<para>

608

Zeroconf is the network protocol standard used by clients

609

for finding this Mandos server on the local network.

610

</para>

611

</listitem>

612

</varlistentry>

613

614

<term>

615

<ulink url="http://www.avahi.org/">Avahi</ulink>

616

</term>

617

618

<para>

619

Avahi is the library this server calls to implement

620

Zeroconf service announcements.

621

</para>

622

</listitem>

623

</varlistentry>

624

625

<term>

626

<ulink url="http://www.gnu.org/software/gnutls/"

627

>GnuTLS</ulink>

628

</term>

629

630

<para>

631

GnuTLS is the library this server uses to implement TLS for

632

communicating securely with the client, and at the same time

633

confidently get the client’s public OpenPGP key.

634

</para>

635

</listitem>

636

</varlistentry>

637

638

<term>

639

RFC 4291: <citetitle>IP Version 6 Addressing

640

Architecture</citetitle>

641

</term>

642

643

644

645

<term>Section 2.2: <citetitle>Text Representation of

646

Addresses</citetitle></term>

647

648

</varlistentry>

649

650

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

651

Address</citetitle></term>

652

653

</varlistentry>

654

655

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

656

Addresses</citetitle></term>

657

658

<para>

659

The clients use IPv6 link-local addresses, which are

660

immediately usable since a link-local addresses is

661

automatically assigned to a network interfaces when it

662

is brought up.

663

</para>

664

</listitem>

665

</varlistentry>

666

</variablelist>

667

</listitem>

668

</varlistentry>

669

670

<term>

671

RFC 4346: <citetitle>The Transport Layer Security (TLS)

672

Protocol Version 1.1</citetitle>

673

</term>

674

675

<para>

676

TLS 1.1 is the protocol implemented by GnuTLS.

677

</para>

678

</listitem>

679

</varlistentry>

680

681

<term>

682

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

683

</term>

684

685

<para>

686

The data sent to clients is binary encrypted OpenPGP data.

687

</para>

688

</listitem>

689

</varlistentry>

690

691

<term>

692

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

693

Security</citetitle>

694

</term>

695

696

<para>

697

This is implemented by GnuTLS and used by this server so

698

that OpenPGP keys can be used.

699

</para>

700

</listitem>

701

</varlistentry>

702

</variablelist>

703

</refsect1>

704

</refentry>

705

706

707

708

709

Older »